Re: SecureBoot certificates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I also have a recently updated F38 with shim-x64-15.6-2.x86_64. The BOOTX64.EFI file has two certificates
  Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows UEFI Driver Publisher   Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011 

The first one's validity is
            Not Before: Sep  9 19:40:20 2021 GMT
            Not After : Sep  1 19:40:20 2022 GMT

and the second's:
            Not Before: Jun 27 21:22:45 2011 GMT
            Not After : Jun 27 21:32:45 2026 GMT
Are these certs for different purpose, or is the second one supposed to supersede the previous one? 

On 5/31/23 09:57, Steve Grubb wrote:

On Tuesday, May 30, 2023 10:00:53 PM EDT Chris Murphy wrote:

On Fri, May 26, 2023, at 10:20 AM, Steve Grubb wrote:

sbattach --detach signature  /boot/efi/EFI/BOOT/BOOTX64.EFI
openssl pkcs7 -inform DER -in signature -text -print_certs >
shim-certs.txt>
         Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation,

CN=Microsoft Corporation UEFI CA 2011

         Validity
Not Before: Sep 9 19:40:20 2021 GMT 
             Not After : Sep  1 19:40:20 2022 GMT

What version of shim do you have installed? What edition/spin are you
using?

This is plain old F38. The shim is shim-x64-15.6-2.x86_64


I have shim-x64-15.6-2.x86_64 and it's reporting

             Not Before: Jun 27 21:22:45 2011 GMT
             Not After : Jun 27 21:32:45 2026 GMT

A possible explanation is rpm-ostree derivatives may show a current version
grub and shim, but those are not copied to the EFI System partition.
That's the job of bootupd but I'm not sure if that's fully implemented yet
in Fedora.

Appearantly not. But rpm -qf  /boot/efi/EFI/BOOT/BOOTX64.EFI shows it is owned
by the shim. locate BOOTX64.EFI only shows one location, the previously
mentioned path.

I understand that certificate validation cannot take time and date into
account during boot because you have no idea if the system clock is accurate
until the whole OS can run a NTP sync. But I am just surprised my system has
binaries with expired signatures.

-Steve

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux